diff --git a/.circleci/config.yml b/.circleci/config.yml
index 2f21943a24..65f2a401f4 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -6,7 +6,7 @@ orbs:
 parameters:
 go-version:
 type: string
- default: '1.19.3'
+ default: '1.19.5'
 executors:
 node:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c7a94c221e..d33ae88271 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,18 @@
 # SingularityCE Changelog
+## 3.10.5 \[2022-01-17\]
+
+### Security Related Fixes
+
+- [CVE-2022-23538](https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7):
+ The github.com/sylabs/scs-library-client dependency included in SingularityCE
+ \>=3.10.0, \<3.10.5 may leak user credentials to a third-party service via HTTP
+ redirect. This issue is limited to `library://` access to specific Singularity
+ Enterprise 1.x or 3rd party library configurations, which implement a
+ concurrent multi-part download flow. Access to Singularity Enterprise 2.x, or
+ Singularity Container Services (cloud.sylabs.io), does not trigger the
+ vulnerable flow. See the linked advisory for full details.
+
 ## 3.10.4 \[2022-11-10\]
 ### Bug Fixes
diff --git a/INSTALL.md b/INSTALL.md
index 9d9ebc403c..e51037c96e 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -56,7 +56,7 @@ _**NOTE:** if you are updating Go from a older version, make sure you remove `/usr/local/go` before reinstalling it._
 ```sh
-export VERSION=1.19.3 OS=linux ARCH=amd64 # change this as you need
+export VERSION=1.19.5 OS=linux ARCH=amd64 # change this as you need
 wget -O /tmp/go${VERSION}.${OS}-${ARCH}.tar.gz \
 https://dl.google.com/go/go${VERSION}.${OS}-${ARCH}.tar.gz
@@ -114,11 +114,11 @@ cd singularity
 By default your clone will be on the `main` branch which is where development of SingularityCE happens. To build a specific version of SingularityCE, check out a [release tag](https://github.com/sylabs/singularity/tags) before
-compiling. E.g. to build the 3.10.4 release checkout the
-`v3.10.4` tag:
+compiling. E.g. to build the 3.10.5 release checkout the
+`v3.10.5` tag:
 ```sh
-git checkout --recurse-submodules v3.10.4
+git checkout --recurse-submodules v3.10.5
 ```
 ## Compiling SingularityCE
@@ -169,7 +169,7 @@ build and install the RPM like this:
 ```sh
-export VERSION=3.10.4 # this is the singularity version, change as you need
+export VERSION=3.10.5 # this is the singularity version, change as you need
 # Fetch the source
 wget https://github.com/sylabs/singularity/releases/download/v${VERSION}/singularity-ce-${VERSION}.tar.gz
diff --git a/LICENSE.md b/LICENSE.md
index 9be3abebdf..3a03a1b175 100644
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -17,7 +17,7 @@ reserved. Copyright (c) 2017, SingularityWare, LLC. All rights reserved.
-Copyright (c) 2018-2022, Sylabs, Inc. All rights reserved.
+Copyright (c) 2018-2023, Sylabs, Inc. All rights reserved.
 Copyright (c) Contributors to the Apptainer project, established as Apptainer a Series of LF Projects LLC.